Developing for Splunk Enterprise

How do I get the 8 standard alert action script parameters AND custom parameters defined in savedsearches.conf.spec into a custom Python alert action script at the same time?

Path Finder

I've been able to successfully access the 8 command line parameters passed into a regular alert action shell script just fine. Now I've graduated to building a custom alert action patterned after the python-based JIRA example. I can successfully access custom alert action parameters that I've defined in savedsearches.conf.spec and populated from a custom .html fragment. But I can't seem to also access the original 8 parameters in the same custom Python alert action script. How do I access both sets of parameters in the same script at the same time?

Thanks!

1 Solution

Path Finder

It turns out the entire circumstances of the alert were in fact available in the payload passed to my custom Python script via sys.stdin.read(). The example from which I derived this script only showed getting the custom configuration parameters via payload.get('configuration'). I had no idea there was so much more structure to that payload because I couldn't find any Splunk documentation on it. I've included a snapshot of the full payload structure below. Respectfully suggest that Splunk folks incorporate some good explanation of this structure into their otherwise very helpful documentation.

Thanks very much for the pointers, jdonn. Cheers!

{"app":"",
"owner":"",
"results_file":"",
"results_link":"",
"server_host":"",
"server_uri":"",
"session_key":"",
"sid":"",
"search_name":"",
"configuration":{"myCustomParam1":"","myCustomParam2":"","myCustomParam3":"","myCustomParam4":"","myCustomParam5":""},
"result":{"_confstr":"",
    "_eventtype_color":"",
    "_indextime":"",
    "_kv":"",
    "_raw":"",
    "_serial":"",
    "_sourcetype":"",
    "_time":"",
    "date_hour":"",
    "date_mday":"",
    "date_minute":"",
    "date_month":"",
    "date_second":"",
    "date_wday":"",
    "date_year":"",
    "date_zone":"",
    "eventtype":"",
    "host":"",
    "index":"",
    "linecount":"",
    "punct":"",
    "source":"",
    "sourcetype":"",
    "splunk_server":"",
    "timeendpos":"",
    "timestartpos":""}
}

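As an added example (not the original poster's script or Splunk's own code), here is a Python 3 alert action skeleton that reads the same stdin payload and separates the standard alert context from the custom parameters under "configuration". The field names come from the payload snapshot above; the sample payload, the custom parameters `myapp_url` and `severity`, and the host names are constructed for this example.

```python
import json
import sys

# Keys of the standard alert context, taken from the payload snapshot above.
STANDARD_KEYS = ("app", "owner", "results_file", "results_link", "server_host",
                 "server_uri", "session_key", "sid", "search_name")
# session_key authenticates against server_uri; it must never reach the log.
REDACT_IN_LOGS = {"session_key"}


def parse_payload(raw, required_custom=()):
    """Split the JSON alert payload into (standard, custom, first_result).

    Raises ValueError when a required custom parameter is absent or empty,
    so a misconfigured alert fails loudly instead of posting with blanks."""
    payload = json.loads(raw)
    standard = {k: payload.get(k, "") for k in STANDARD_KEYS}
    custom = dict(payload.get("configuration") or {})
    missing = [k for k in required_custom if not custom.get(k)]
    if missing:
        raise ValueError("missing configuration parameter(s): " + ", ".join(missing))
    return standard, custom, dict(payload.get("result") or {})


def loggable(standard):
    """Copy of the standard fields that is safe to print to stderr (splunkd.log)."""
    return {k: "<redacted>" if k in REDACT_IN_LOGS else v for k, v in standard.items()}


# Constructed sample payload mirroring the snapshot above; all values are hypothetical.
SAMPLE_PAYLOAD = json.dumps({
    "app": "myapp", "owner": "admin", "results_file": "/tmp/results.csv.gz",
    "results_link": "https://splunk.example:8000/app/myapp/search?sid=1",
    "server_host": "splunk.example", "server_uri": "https://127.0.0.1:8089",
    "session_key": "EXAMPLE_SESSION_KEY", "sid": "scheduler__admin__myapp__1",
    "search_name": "Failed logins burst",
    "configuration": {"myapp_url": "https://tickets.example/api", "severity": "high"},
    "result": {"_raw": "Failed password for root from 10.0.0.5", "host": "web01"},
})

if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)
    std, cfg, first = parse_payload(sys.stdin.read(), required_custom=("myapp_url",))
    print("INFO alert context: %s" % loggable(std), file=sys.stderr)
    print("INFO custom params: %s, first host: %s" % (cfg, first.get("host")), file=sys.stderr)
```

Splunk invokes the script with `--execute` and the payload on stdin; because that payload carries a live `session_key`, the script redacts it before logging anything.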


Splunk Employee

Hi,

I have always used Perl for this, but that should not matter. The arguments are passed in @ARGV. I Googled how to access that in Python and I found these two links pretty useful:

http://www.pythonforbeginners.com/system/python-sys-argv

http://stackoverflow.com/questions/4117530/sys-argv1-meaning-in-script

I hope that helps.

0 Karma

Path Finder

Thank you. When my python script is run, it sees len(sys.argv) = 2. sys.argv[0]=full path to my script, and sys.argv[1]='--execute' both of which I expect. Per the Jira example, the script does a sys.stdin.read() to get the 'payload', which contains the custom parameters I've defined in savedsearches.conf.spec. So perhaps a better question is 'how do I get the 8 standard parameters to be included in the payload'. Here's the script I adapted from the Jira example.

from __future__ import print_function
import sys
import json
import requests
from myapp_helpers import get_myapp_password


def send_message(payload):
    # 'configuration' holds the custom parameters defined in savedsearches.conf.spec
    config = payload.get('configuration')
    EXECUTE_ASYNC_PATH = "/mypath"
    url = config.get('myapp_url')
    myapp_url = url + EXECUTE_ASYNC_PATH
    mybody = {}  # placeholder: the request body was elided in the original post
    body = json.dumps(mybody)
    print("*****about to POST to: %s" % myapp_url, file=sys.stderr)
    try:
        headers = {"Content-Type": "application/json"}
        result = requests.post(url=myapp_url, data=body, headers=headers)
        print("INFO myapp app launch HTTP status= %s" % result.status_code, file=sys.stderr)
        print("INFO myapp app launch server response: %s" % result.text, file=sys.stderr)
    except Exception as e:
        print("ERROR Error sending message: %s" % e, file=sys.stderr)
        return False
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        print("****HERE IS THE len(sys.argv)****: %s" % len(sys.argv), file=sys.stderr)
        print("****HERE IS THE sys.argv****: %s" % sys.argv, file=sys.stderr)
        try:
            # Splunk passes the alert payload as a JSON document on stdin
            raw_payload = sys.stdin.read()
            payload = json.loads(raw_payload)
            send_message(payload)
        except Exception as e:
            print("ERROR Unexpected error: %s" % e, file=sys.stderr)
            sys.exit(3)
    else:
        print("FATAL Unsupported execution mode (expected --execute flag)", file=sys.stderr)
        sys.exit(1)

Appreciate the help!

0 Karma

I have created a setup.xml file for my app and am saving the user name and password in alert_actions.conf. I am reading those parameters in the Python script using code similar to what is mentioned here. But the problem I am facing is that the configuration passed to the Python script does not get the updated values of the service endpoints I used.

0 Karma

Path Finder

Hey, sorry about the formatting mess...

0 Karma

Splunk Employee

I am out of my depth here for Python specifics, but I did find another example Python script - https://github.com/georgestarcher/Splunk-Alert

Perhaps the answer is in there?

0 Karma

Path Finder

I tried os.environ['SPLUNK_ARG_8'] as shown in the cited example, but no SPLUNK_ARGs were in the environment. I did finally figure it out - explained in the next post.

0 Karma